OpenStack / Cloud / Virtualization / Linux

RHEL – How to Encrypt a Partition using Cryptsetup and LUKS

Cryptsetup uses dm-crypt to encrypt a disk at the partition level. In RHEL, cryptsetup is used with Linux Unified Key Setup (LUKS), a disk encryption specification. Mounting a LUKS encrypted partition requires a passphrase, which can either be passed in a file or via the command line. Read more about dm-crypt here.

To use cryptsetup, you must first have a free partition on a disk. In this instance I am using /dev/sdc1, which is a FreeAgent external USB drive.

First initialize the LUKS partition. My target is /dev/sdc1

#cryptsetup luksFormat /dev/sdc1

Then open the LUKS partition to set up the device-mapper device. The command below creates /dev/mapper/freeagent

#cryptsetup luksOpen /dev/sdc1 freeagent

Create a passkey file if you want the device to be able to automount at boot. Write the key into the file before adding it to LUKS, because luksAddKey stores whatever the file contains at the moment it runs.

#touch /root/freeagent_passkey && chmod 600 /root/freeagent_passkey

#echo "mypasskey" > /root/freeagent_passkey

Make cryptsetup aware of the key

#cryptsetup luksAddKey /dev/sdc1 /root/freeagent_passkey

Don't forget to make a filesystem

#mkfs -t ext4 /dev/mapper/freeagent

Then add the following to /etc/fstab…

/dev/mapper/freeagent /freeagent ext4 _netdev 1 1

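And add the following to /etc/crypttab. Note that the first entry is the name of the /dev/mapper device, the second is the encrypted partition, and the third is the path to the key file created above (not the mount point /freeagent). With the third field left empty or set to none, the passphrase is prompted for at boot instead.

freeagent /dev/sdc1 /root/freeagent_passkey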
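
Before rebooting, the two files can be checked against each other. The script below is an added example, not part of the original post; check_crypttab is a hypothetical helper name, and it assumes GNU stat and that fstab refers to the volume as /dev/mapper/<name>, as the post does.

```shell
#!/bin/bash
# Added example (not from the original post): lint crypttab against fstab.
# Usage: check_crypttab /etc/crypttab /etc/fstab
# Prints one line per finding; the return status is the number of errors.
check_crypttab() {
    local crypttab=$1 fstab=$2 errors=0 name dev key opts mode
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case $key in
            ''|none|-)   # crypttab(5): no key file means an interactive prompt
                echo "NOTE  $name: no key file, passphrase is prompted at boot" ;;
            *)
                if [ -d "$key" ]; then
                    echo "ERROR $name: key field $key is a directory, not a key file"
                    errors=$((errors + 1))
                elif [ ! -s "$key" ]; then
                    echo "ERROR $name: key file $key is missing or empty"
                    errors=$((errors + 1))
                else
                    mode=$(stat -c %a "$key")      # GNU stat, as shipped on RHEL
                    case $mode in
                        400|600) ;;
                        *) echo "ERROR $name: key file $key has mode $mode, want 600"
                           errors=$((errors + 1)) ;;
                    esac
                fi ;;
        esac
        # Assumption: fstab names the volume as /dev/mapper/<crypttab field 1>.
        if ! awk -v d="/dev/mapper/$name" '$1 == d { ok = 1 } END { exit !ok }' "$fstab"; then
            echo "ERROR $name: /dev/mapper/$name has no entry in $fstab"
            errors=$((errors + 1))
        fi
    done < "$crypttab"
    return "$errors"
}

# Run against real files when given two arguments.
if [ "$#" -eq 2 ]; then check_crypttab "$1" "$2"; fi
```

A non-zero exit status means at least one entry would fail to unlock or mount unattended at boot.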

To get a status on a device and to see the mappings between /dev/mapper and /dev/sdc1

3 thoughts on “RHEL – How to Encrypt a Partition using Cryptsetup and LUKS”

Dear Eng.
I tried the procedure you gave above, but after finishing it, it did not work. I tried to mount the file system and it did not work; also, when I restarted the machine, it did start and say that the file system created on the encrypted partition is invalid.
Regards

Thank you for the writeup! I also had problems with the restart of the machine, and getting a failure. I made two corrections.
1) in the line with _netdev, I changed _netdev to defaults
2) Inside of /etc/crypttab, remove the /freeagent
Now my server is mounting properly.